Patch Tuesday

Microsoft today published its June 2017 Patch Tuesday updates, which patch over 90 security flaws, including two vulnerabilities used in live attacks.

Windows Search Remote Code Execution Vulnerability

The first of these vulnerabilities is tracked as CVE-2017-8543. Microsoft describes the issue as follows:

A remote code execution vulnerability exists when Windows Search handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit the vulnerability, the attacker could send specially crafted SMB messages to the Windows Search service. An attacker with access to a target computer could exploit this vulnerability to elevate privileges and take control of the computer. Additionally, in an enterprise scenario, a remote unauthenticated attacker could remotely trigger the vulnerability through an SMB connection and then take control of a target computer.

The security update addresses the vulnerability by correcting how Windows Search handles objects in memory.

Patches for this flaw are available for all of Microsoft's operating systems, including old versions, such as XP and Server 2003.

LNK Remote Code Execution Vulnerability

The second vulnerability detected in live attacks is tracked as CVE-2017-8464, and Microsoft describes it as follows:

A remote code execution exists in Microsoft Windows that could allow remote code execution if the icon of a specially crafted shortcut is displayed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The attacker could present to the user a removable drive that contains a malicious shortcut file and an associated malicious binary. When the user opens this drive in Windows Explorer, or any other application that parses the icon of the shortcut, the malicious binary will execute code of the attacker’s choice on the target system.

The security update addresses the vulnerability by correcting validation of shortcut icon references.

Unlike the first, this issue doesn't affect XP and older Windows versions. Neither of these two flaws has been publicly disclosed.

Below is a summary of all the major security updates from Microsoft's June 2017 Patch Tuesday.

KB3118389 - Security update for Office 2010

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see CVE-2017-8509.

KB3127888 - Security update for PowerPoint 2007

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see CVE-2017-8513.

KB3127894 - Security update for Microsoft Office Compatibility Pack Service Pack 3

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see CVE-2017-8513.

KB3162051 - Security update for Office 2013

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see CVE-2017-8509.

KB3172445 - Security update for SharePoint Server 2013

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see CVE-2017-8511 and CVE-2017-8512.

KB3178667 - Security update for Office 2016

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see Microsoft CVE-2017-8509.

KB3191828 - Security update for 2007 Microsoft Office Suite

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see CVE-2017-0282, CVE-2017-0284, and CVE-2017-0285.

KB3191837 - Security update for 2007 Microsoft Office Suite

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see CVE-2017-0283.

KB3191844 - Security update for Office 2010

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see CVE-2017-0283.

KB3191848 - Security update for Office 2010

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see CVE-2017-0282, CVE-2017-0284, and CVE-2017-0285.

KB3191882 - Security update for Office 2016

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see Microsoft CVE-2017-8509.

KB3191898 - Security update for Outlook 2007

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see CVE-2017-8506, CVE-2017-8507, and CVE-2017-8508.

KB3191908 - Security update for Office 2010

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see Microsoft CVE-2017-8509.

KB3191932 - Security update for Outlook 2016

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see CVE-2017-8506, CVE-2017-8507, and CVE-2017-8508.

KB3191938 - Security update for Outlook 2013

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see CVE-2017-8506, CVE-2017-8507, and CVE-2017-8508.

KB3191939 - Security update for Skype for Business 2015

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see CVE-2017-0283.

KB3191943 - Security update for Office 2016

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see Microsoft CVE-2017-8509.

KB3191944 - Security update for Office 2016

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see CVE-2017-8511 and CVE-2017-8512.

KB3191945 - Security update for Word 2016

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see CVE-2017-8509 and CVE-2017-0292.

KB3203382 - Security update for Skype for Business 2016

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see CVE-2017-0283.

KB3203384 - Security update for Word Automation Services on SharePoint Server 2013

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see CVE-2017-8509, CVE-2017-8511, and CVE-2017-8512.

KB3203386 - Security update for Office 2013

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see CVE-2017-8511 and CVE-2017-8512.

KB3203387 - Security update for SharePoint Server 2013

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see CVE-2017-8509 and ADV170008.

KB3203390 - Security update for Excel Services on SharePoint Server 2013

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see CVE-2017-8509, CVE-2017-8511, and CVE-2017-8512.

KB3203391 - Security update for Office Web Apps Server 2013

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see CVE-2017-8509, CVE-2017-8511, and CVE-2017-8512.

KB3203393 - Security update for Word 2013

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see CVE-2017-8509.

KB3203399 - Security update for Project Server 2013

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see CVE-2017-8551.

KB3203427 - Security update for Word Viewer

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see CVE-2017-0283.

KB3203432 - Security update for SharePoint Server 2016

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see ADV170008, CVE-2017-8509, CVE-2017-8511, CVE-2017-8512, and CVE-2017-8514.

KB3203436 - Security update for 2007 Microsoft Office Suite

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see CVE-2017-8512.

KB3203438 - Security update for Microsoft Office Compatibility Pack Service Pack 3

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see CVE-2017-8509.

KB3203441 - Security update for Word 2007

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see CVE-2017-8509.

KB3203460 - Security update for Office 2010

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see CVE-2017-8509, CVE-2017-8511, and CVE-2017-8512.

KB3203463 - Security update for Office 2010

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see CVE-2017-8509.

KB3203464 - Security update for Word 2010

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see CVE-2017-8509.

KB3203466 - Security update for SharePoint Server 2010 Office Web Apps

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see CVE-2017-8509, CVE-2017-8511, and CVE-2017-8512.

KB3203467 - Security update for Outlook 2010

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see CVE-2017-8506, CVE-2017-8507, and CVE-2017-8508.

KB3203458 - Security update for SharePoint Server 2010

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see CVE-2017-8509 and CVE-2017-8512.

KB3203485 - Security update for Office Online Server

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see CVE-2017-8511, CVE-2017-8512, and CVE-2017-8509.

KB3217845 - Hypervisor code integrity elevation of privilege vulnerability

An elevation of privilege vulnerability exists when Windows Hyper-V instruction emulation fails to properly enforce privilege levels. An attacker who successfully exploited this vulnerability could gain elevated privileges on a target guest operating system. The host operating system is not vulnerable to this attack. To learn more about the vulnerability, see CVE-2017-0193.

KB3212223 - Security update for Office for Mac 2011 14.7.5

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see Microsoft Common Vulnerabilities and Exposures CVE-2017-8509 and CVE-2017-8511.

KB4018106 - Microsoft Office remote code execution

A remote code execution vulnerability exists when Microsoft Office improperly validates input before loading dynamic link library (DLL) files. An attacker who successfully exploited this vulnerability could take control of an affected system. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. To learn more about the vulnerability, see CVE-2017-0260.

KB4019204 - Security update for the Windows win32k Information Disclosure Vulnerability in Windows Server 2008

An information disclosure vulnerability exists when the win32k component incorrectly provides kernel information. An attacker who successfully exploits the vulnerability could obtain information to further compromise the user’s system.

KB4020732, KB4020733, KB4020734, KB4020736 - No info

KB4021903 - LNK remote code execution vulnerability

Described above.

KB4021923 - Windows TDX elevation of privilege vulnerability

An elevation of privilege vulnerability exists when tdx.sys fails to check the length of a buffer prior to copying memory to the buffer. To exploit the vulnerability, in a local attack scenario, an attacker could run a specially crafted application to elevate the attacker's privilege level. An attacker who successfully exploited this vulnerability could run processes in an elevated context. However, an attacker must first gain access to the local system with the ability to execute a malicious application in order to exploit this vulnerability. The security update addresses the vulnerability by changing how tdx.sys validates buffer length. To learn more about the vulnerability, go to CVE-2017-0296.

KB4022008 - Windows remote code execution vulnerability

A remote code execution vulnerability exists when Microsoft Windows fails to properly handle cabinet files. To exploit the vulnerability, an attacker would have to convince a user to either open a specially crafted cabinet file or spoof a network printer and trick a user into installing a malicious cabinet file disguised as a printer driver. The update addresses the vulnerability by correcting how Windows handles cabinet files. To learn more about the vulnerability, go to CVE-2017-0294.

KB4022010 - Windows kernel information disclosure vulnerability

An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. To exploit this vulnerability, an authenticated attacker could run a specially crafted application. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. The update addresses the vulnerability by correcting how the Windows kernel initializes objects in memory. To learn more about the vulnerability, see CVE-2017-8488.

KB4022013 - Windows kernel information disclosure vulnerability

An information disclosure vulnerability exists when the Windows kernel fails to properly initialize a memory address, allowing an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (KASLR) bypass. To learn more about the vulnerability, see CVE-2017-8481.

KB4022714

This security update includes quality improvements. No new operating system features are being introduced in this update. Key changes include:

  • Addressed issue where, after installing KB3164035, users cannot print enhanced metafiles (EMF) or documents containing bitmaps rendered out of bounds using the BitMapSection(DIBSection) function.    
  • Addressed issue where certutil.exe can no longer generate an export file (.epf) when attempting to recover a key for a version 1 certificate.    
  • Addressed additional issues with updated time zone information, updates to the Access Point Name (APN) database and Internet Explorer.
  • Security updates to Microsoft Scripting Engine, Microsoft Edge, Windows COM, Windows kernel, Windows kernel-mode drivers, Microsoft Uniscribe, Microsoft Graphics Component, Windows Shell, Microsoft Windows PDF and Internet Explorer.

KB4022715

This security update includes quality improvements. No new operating system features are being introduced in this update. Key changes include:

  • Addressed issue where, after installing KB3164035, users cannot print enhanced metafiles (EMF) or documents containing bitmaps rendered out of bounds using the BitMapSection(DIBSection) function.  
  • Addressed issue where users may fail to access the Internet using a non-Microsoft proxy device after enabling Credential guard. The failure happens when NTLMv2 is used and the server does not send target information (TargetNameFields is 0) inside the NTLM CHALLENGE MESSAGE. 
  • Addressed issue where some Windows clients with Windows Information Protection (WIP) enabled cannot access their secured documents, such as protected documents or mail files. This may occur when the client connects to the enterprise network both directly and remotely (such as with a VPN connection). 
  • Addressed issue where Internet Explorer crashes when the Microsoft Active Accessibility application is running in the background.   
  • Addressed issue where adding a <select> element to the body of a JavaScript application crashes the application when users click the select box.
  • Addressed an issue where certutil.exe could no longer generate an EPF file when attempting to recover a key for a version 1 style certificate. 
  • Addressed an issue where the network interface description name of a network adapter is not updated in Hyper-V after a device driver update. Management of a NIC Team or vSwitch within Hyper-V Administrator or System Center Virtual Machine Manager may be affected. 
  • Addressed issue where the Privacy Separator feature of a Wireless Access Point does not block communication between wireless devices on local subnets. 
  • Addressed issue that was causing devices to crash when hot plugging USB 3.0 Network Adapters.
  • Addressed an issue where users on Windows 7 SP1 clients connecting to a Windows Server 2016 based domain controller cannot run applications such as Internet Explorer for a period of approximately 10 minutes after logging on. This issue occurs after upgrading the enterprise domain controllers to Windows Server 2016. 
  • Addressed an issue where Cluster health service fails to report fault event to MAS HM component. 
  • Addressed an issue that was not allowing users to customize the Application list in their Start menu using the Remove All Programs list from the Start menu setting.
  • Updated iDNA table to support resolving latest Unicode emoji characters from Punycode.
  • Addressed issue where, after installing KB4019472, the end-user-defined characters (EUDCs) are not displayed.
  • Addressed additional issues with updated time zone information, storage file system, Windows Update logs, USB, Start menu and taskbar and Windows Shell.
  • Security updates to Microsoft Uniscribe, Windows kernel, Windows kernel-mode drivers, Microsoft Graphics Component, Internet Explorer, Windows Shell, Microsoft Windows PDF, Device Guard and Microsoft Edge.

KB4022717

This security update includes quality improvements. No new operating system features are being introduced in this update. Key changes include:

  • Addressed issue where, after installing KB3170455 (MS16-087), users have difficulty importing printer drivers and get errors with error code 0x80070bcb.
  • Addressed a rare issue where mouse input can cease to function. The mouse pointer may continue to move, but movements and clicks produce no response other than a beeping noise.
  • Addressed issue where printing a document using a 32-bit application can crash a Print Server in a call to nt!MiGetVadWakeList.
  • Addressed issue where an unsupported hardware notification is shown and Windows Updates not scanning, for systems using the AMD Carrizo DDR4 processor or Windows Server 2012 R2 systems using Xeon E3V6 processor. For the affected system, follow the steps in the Additional Information section below to install this update.
  • Security updates to Microsoft Windows PDF, Windows shell, Windows Kernel, Microsoft Graphics Component, Microsoft Uniscribe, Microsoft Scripting Engine, Windows COM, and Windows Kernel-Mode Drivers.

KB4022718

This security update includes quality improvements. No new operating system features are being introduced in this update. Key changes include:

  • Addressed issue where, after installing KB3164035, users cannot print enhanced metafiles (EMF) or documents containing bitmaps rendered out of bounds using the BitMapSection(DIBSection) function.
  • Security updates to Microsoft Windows PDF, Windows shell, Windows Kernel, Microsoft Graphics Component, Microsoft Uniscribe and Windows Kernel-Mode Drivers.

KB4022722

This security update includes quality improvements. No new operating system features are being introduced in this update. Key changes include:

  • Addressed issue where, after installing KB3164035, users cannot print enhanced metafiles (EMF) or documents containing bitmaps rendered out of bounds using the BitMapSection(DIBSection) function.
  • Addressed issue where updates were not correctly installing all components and would prevent them from booting.
  • Addressed issue where an unsupported hardware notification is shown and Windows Updates not scanning, for systems using the AMD Carrizo DDR4 processor. For the affected systems, follow the steps in the Additional Information section to install this update.
  • Security updates to Windows kernel, Microsoft Graphics Component, Microsoft Uniscribe, Windows kernel-mode drivers, the Windows OS, Windows COM and Windows shell.

KB4022725

This security update includes quality improvements. No new operating system features are being introduced in this update. Key changes include:

  • Addressed issue where the user may need to press the space bar to dismiss the lock screen on a Windows 10 machine to log in, even after the logon is authenticated using a companion device.
  • Addressed issue with slow firewall operations that sometimes results in timeouts of Surface Hub's cleanup operation. 
  • Addressed issue with a race condition that prevents Cortana cross-device notification reply from working; users will not be able to use the remote toast activation feature set.  
  • Addressed issue where the Privacy Separator feature of a Wireless Access Point does not block communication between wireless devices on local subnets. 
  • Addressed issue on the Surface Hub device where using ink may cause a break in the touch trace that could result in a break in inks from the pen.
  • Addressed issue where Internet Explorer 11 may ignore the “Send all sites not included in the Enterprise Mode Site List to Microsoft Edge” policy when opening a Favorites link.
  • Addressed additional issues with time-zone information and Internet Explorer.
  • Security updates to Windows kernel, Microsoft Windows PDF, Windows kernel-mode drivers, Microsoft Uniscribe, Device Guard, Internet Explorer, Windows Shell, and Microsoft Edge.

KB4022727

This security update includes quality improvements. No new operating system features are being introduced in this update. Key changes include:

  • Addressed issue where, after installing KB3164035, users cannot print enhanced metafiles (EMF) or documents containing bitmaps rendered out of bounds using the BitMapSection (DIBSection) function. 
  • Addressed issue where displays turn off unexpectedly even when “Turn off display” is set to “Never” in Power Options. 
  • Addressed issue where certutil.exe can no longer generate an export file (.epf) when attempting to recover a key for a version 1 certificate. 
  • Addressed issue where MSI files will no longer install when Device Guard is enabled. 
  • Addressed issue where you eventually experience a stop error, “Read disturbance”, on your storage device when Unified Write Filter is enabled.  
  • Addressed issue where a thin client becomes unusable and unresponsive when Unified Write Filter (UWF) with DISK mode is enabled causing NTFS errors with ID: 55 & ID: 130 to be logged in the Event Logs.
  • Addressed additional issues with updated time zone information and updates to the Access Point Name (APN) database.
  • Security updates to Windows COM, Microsoft Uniscribe, Windows kernel, Windows kernel-mode drivers, Microsoft Graphics Component, Internet Explorer, Windows Shell, Microsoft Windows PDF, Device Guard and Microsoft Edge.

KB4022730 - Security update for Adobe Flash Player

Includes Adobe Flash Player security updates.

KB4022884 - Security update for Windows Server 2008

This security update resolves vulnerabilities in Windows Server 2008 that could allow information disclosure or remote code execution.

KB4023307 - Windows Uniscribe remote code execution vulnerability

This security update resolves a vulnerability in Microsoft Silverlight. The vulnerability could allow remote code execution if a user visits a compromised website that contains a specially crafted Silverlight application. An attacker would have no way to force a user to visit a compromised website. Instead, an attacker would have to convince the user to visit the website, typically by enticing the user to click a link in either an email message or instant message that takes the user to the attacker's website. To learn more about the vulnerability, go to CVE-2017-0283.

KB4024402 - Windows Search vulnerabilities in Windows Server 2008

Described above. CVE-2017-8543.

Get patchin'! And don't forget about the XP and Server 2003 security updates.